Chapter 14 Enterprise System Risks and Controls
Chapter Learning Objectives
• Describe the relationship between enterprise risks, opportunities, and controls
• Explain the levels at which enterprise risks occur
• Use the REA pattern to identify sources of enterprise risk
• Identify specific controls to prevent, detect, and recover from enterprise risks
The Relationship between Risks, Opportunities, and Controls
• Risks
  • A risk is any exposure to the chance of injury or loss (also known as a threat).
• Opportunities and Objectives
  • Opportunity and risk go hand in hand. You can't have an opportunity without some risk, and with every risk there is some potential opportunity.
• Controls
  • A control is an activity performed to minimize or eliminate a risk.
Internal Control Systems
• Congress passed the Sarbanes-Oxley Act requiring publicly traded companies to issue reports on their internal control systems along with their annual financial reports
• Management is responsible for establishing and maintaining adequate internal controls for financial reporting
• Reports must include assessments of the effectiveness of the internal controls and the financial reporting procedures
• Sarbanes-Oxley also requires auditors to attest to and report on management’s assessments
• AICPA’s Statement on Auditing Standards No. 94 established standards for auditing internal controls
• COSO Reports stress the importance of examining control at many levels of detail
Materiality and Risk
• Figure: materiality of risk plotted by Likelihood of Loss (High / Low) against Size of Potential Impact (Large / Small)
COSO Internal Control Integrated Framework
• The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of the AAA, AICPA, IIA, IMA, and FEI. COSO’s internal control integrated framework is considered the authority on internal controls.
• COSO’s internal control model has five components:
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring
Control Environment
• The control environment sets the tone of the organization, which influences the control consciousness of its people. This foundation provides the discipline and structure upon which all other components of internal control are built.
• The control environment includes the following areas:
  • Integrity and ethical behavior
  • Commitment to competence
  • Board of directors and audit committee participation
  • Management philosophy and operating style
  • Organization structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
Risk Assessment
• Risk assessment identifies and analyzes the relevant risks associated with the organization achieving its objectives.
• Risk assessment forms the basis for determining what risks need to be controlled and the controls required to manage them.
Control Activities
• Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Controls have various objectives and may be applied at various organizational and functional levels.
Control Activities
• Objectives: Prevent, Detect, and Correct
  • Preventive controls focus on preventing an error or irregularity.
  • Detective controls focus on identifying when an error or irregularity has occurred.
  • Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
  • All else being equal, it is best to prevent errors and irregularities
• Error versus Irregularity
  • An error is an unintended mistake
  • An irregularity is an intentional effort to cause loss to an enterprise
Information and Communication
• The information system consists of the methods and records used to record, maintain, and report enterprise events. The quality of the system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.
• The information system should do each of the following to provide accurate and complete information in the accounting system and correctly report the results of operations:
  • Identify and record all business events on a timely basis.
  • Describe each event in sufficient detail.
  • Measure the proper monetary value of each event.
  • Determine the time period in which events occurred.
  • Present properly the events and related disclosures in the financial statements.
Information and Communication
• The communication aspect of this component deals with providing an understanding of individual roles and responsibilities pertaining to internal controls.
• People should understand how their activities relate to the work of others and how exceptions should be reported to higher levels of management.
• Open communication channels help ensure that exceptions are reported and acted upon.
• Communication also includes the policy manuals, accounting manuals, and financial reporting manuals.
Monitoring
• Monitoring is the process of assessing the quality of internal control performance over time
• Monitoring involves assessing the design and operation of controls on a timely basis and taking corrective actions as needed
• This process is accomplished by ongoing monitoring activities by management as they question reports that differ significantly from their knowledge of operations
• Performance reviews provide a means for monitoring
  • Compare this year to last year
  • Compare actual to budget
  • Compare related items to each other
Risk Identification
• Economy Risks
  • Affect an entire economy
  • Examples include global economic downturn, war, epidemic, terrorism, environmental disasters
• Industry Risks
  • Affect an entire industry
  • Examples include industry-wide cost increases or demand decreases, or an economy risk that has an especially strong effect on a specific industry
Risk Identification
• Enterprise Risks
  • Internal: lack of ethics, low employee morale, employee incompetence
  • External: increased competition, reduced brand quality perceptions, crises involving business partners (value system relationships), catastrophe that interrupts operations, merger or acquisition
• Business Process Risks
  • Risks associated with business process objects
  • R’s, E’s, A’s, and R-E, E-E, E-A, R-A relationships
• Information Process Risks
  • Risks associated with recording, maintaining, and reporting information about business processes
Questions to identify enterprise risk
• Does the enterprise hire competent people who possess the knowledge and skills needed to perform their assigned jobs?
• Does management have a conservative or reasonable approach in accepting business risks and in reporting financial results?
• Is there a board of directors with outside representatives?
• If the entity undergoes an annual audit of its financial statements, does an audit committee oversee the audit?
• Is the enterprise organizational structure well-defined, with appropriate division of duties and responsibilities and identified reporting relationships, so that important activities are planned, executed, controlled, and monitored on a timely basis?
• Has management developed a culture that emphasizes integrity and ethical behavior?
• Does the enterprise have a whistleblower policy that encourages employees to inform management or the board of directors of fraudulent activities observed in the firm’s operations?
Controls for Economy/Industry Risks
• Economy and industry risks can be very difficult to control
• Diversify to multiple industries
• Use hedges and derivatives
• Be outwardly focused
  • Pay attention to industry and economy trends and market demands
  • Gather and monitor information to enhance the ability to predict trends and product replacements
Controls for Enterprise Risks
• Respond quickly to drops in perceived brand quality or firm reputation
• Purchase insurance
• Use sound personnel practices
• Set a strong “tone at the top”
• Create contingency plans to minimize business interruptions
Controls for Business Process Risks
• Resources
  • Resource Risks
    • Theft, loss, waste, or damage
    • Obsolescence
  • Resource Risk Controls
    • Separation of duties (preventive)
    • Physical counts and reconciliations (primarily detective; may help prevent loss too)
    • Insurance (corrective)
    • Asset tracking devices (primarily detective; however, often help prevent loss too)
Controls for Business Process Risks
• Instigation Event Risks
  • Failure to inform customers of product features
  • Mistakes in ads or promotions
  • Unnecessary/unwanted sales call presentations
  • Customer can’t find information needed
  • Inability to track results of marketing efforts
  • Unproductive salespeople
  • Failure to identify need for input resources in a timely manner
  • Requisitioning unnecessary or wrong resources
  • Inability to find a source for needed resources
  • Failure to approve valid requisitions
  • Requisitioning items for which budget is unavailable
Controls for Business Process Risks
• Controls for Instigation Event Risks
  • A myriad of procedural controls may be used to specifically address the risks on the previous slide
  • Accurate querying of a complete information system with adequate data entry controls, combined with the procedural controls, provides an effective means for controlling instigation event risks
Controls for Business Process Risks
• Mutual Commitment Event Risks
  • Failure to accept desirable, valid sale orders
  • Acceptance of undesirable or invalid sale orders
  • Commitment with an unrealistic delivery date
  • Commitment to provide goods/services at an unprofitable price
  • Failure to place desirable, valid purchase orders
  • Placement of undesirable or invalid purchase orders
  • Failure to provide adequate lead time to vendors
  • Failure to obtain the lowest possible cost for the highest possible quality
• Controls
  • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks
• Economic Decrement Event Risks
  • Failure to ship goods in response to a valid sale order
  • Shipment of goods not ordered or not authorized
  • Shipment of goods to or by an invalid agent
  • Poor packaging used in shipment
  • Shipment via a poor carrier or route
  • Lost sales due to untimely shipments
  • Failure to pay for goods received in a timely manner
  • Duplicating payment for the same purchase
  • Failure to take advantage of early payment discounts
• Controls for Economic Decrement Event Risks
  • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks
• Economic Increment Event Risks
  • Failure to receive cash as a result of a sale
  • Accepting duplicate cash receipts for the same sale
  • Failure to deposit cash into the bank in a timely manner
  • Depositing cash into the wrong bank account
  • Failure to receive goods in response to a purchase order
  • Receipt of goods not ordered
  • Receipt of wrong goods or incorrect quantity of goods
  • Damage of goods during the receiving process
• Controls for Economic Increment Event Risks
  • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks
• Economic Decrement Reversal Event Risks
  • Failure to accept goods for a legitimate sale return
  • Acceptance of goods for an illegitimate sale return
  • Approval of a sale return by an unauthorized employee
  • Recording a sale return that didn’t occur
• Economic Decrement Reversal Event Risks
  • Failure to return unsatisfactory goods
  • Return of goods that the enterprise needed
  • Approval of a purchase return by an unauthorized employee
  • Recording a purchase return that didn’t occur
• Controls
  • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Information Process Risks
• System Resource Risks and Controls
  • Physical access controls
    • Are adequate controls in place to prevent unauthorized physical access to the computer equipment?
    • What if it is on a network, so that the intruder does not need to be physically present?
  • Logical access controls
    • Are adequate controls in place to prevent unauthorized logical access to the programs and data in the system?
    • An access control matrix identifies the functions each user is allowed to perform and what data and programs the user can access after gaining access to the system
    • A password is a unique identifier only the authorized user should know and which the user must enter to gain access to the system
Controls for Information Process Risks
• System Resource Risks and Controls
  • Logical access controls, continued
    • Require users to authenticate themselves by providing
      • Something they know, e.g. a user id and password
      • Something they possess, e.g. a smart card or token
      • Something they are, e.g. biometric measurements by devices that read fingerprints, retinal scans, voice recognition, or digital signature recognition
Case In Point: Passwords
• Surveys show that most passwords are “no-brainers” for hackers trying to break into a system.
• The most common password is the user's own name or the name of a child. The second most common password is “secret.”
• Other common passwords, in order of usage, are:
  • Stress-related words such as “deadline” or “work”
  • Sports teams or sports terms like “bulls” or “golfer”
  • “Payday”
  • “Bonkers”
  • The current season (e.g. “winter” or “spring”)
  • The user's ethnic group
  • Repeated characters (e.g. “bbbbb” or “AAAAA”)
  • Obscenities or sexual terms
Cases In Point: Tokens and Biometrics
• Token system
  • Authenticates a user through a hardware device combined with a log-in password
  • Smart cards incorporate randomly generated one-time-only password codes and are synchronized with the host system's random code generator
• Active badge technology
  • Automatically authenticates users who come within a designated range of the receivers via weak radio signals
• Biometric authentication
  • Compares fingerprints, palm prints, retina eye patterns, signatures, voices, keyboard-typing patterns, or facial patterns
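The following Python is an added example, not material from the chapter, showing how the three factors on the preceding slides can be checked in code: a screen for the "no-brainer" passwords listed on the Passwords slide, salted PBKDF2 verification of the "something they know" factor, and a one-time code from a token synchronized with the host (here the standard HMAC-based HOTP/TOTP scheme of RFC 4226 and RFC 6238, used as one concrete form of the synchronized one-time codes the Tokens slide describes). The COMMON_PASSWORDS list, the user record layout, the function names and the token secret are all constructed for the demonstration; the secret `12345678901234567890` is the published RFC 4226 test key.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed screening list built from the categories on the Passwords slide;
# a real deployment would use a much larger breached-password list.
COMMON_PASSWORDS = {"secret", "deadline", "work", "bulls", "golfer",
                    "payday", "bonkers", "winter", "spring"}


def password_is_weak(password, user_name=""):
    """Reject common words, the user's own name, or one repeated character."""
    p = password.lower()
    if p in COMMON_PASSWORDS:
        return True
    if user_name and p == user_name.lower():
        return True
    if len(set(p)) == 1:            # "bbbbb", "AAAAA"
        return True
    return False


def enroll_password(password, iterations=200_000):
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record, attempt):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))


def verify_totp(secret, code, now=None, step=30, window=1):
    """Accept the code for the current step or +/- `window` steps of clock drift."""
    now = time.time() if now is None else now
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(record, token_secret, password, code, now=None):
    """Two-factor check: something known (password) AND something possessed (token)."""
    return verify_password(record, password) and verify_totp(token_secret, code, now)


if __name__ == "__main__":
    rec = enroll_password("Tq7#vR9pLm2")
    secret = b"12345678901234567890"      # RFC 4226 test key, constructed for the demo
    print("weak 'secret'?", password_is_weak("secret"))
    print("current token code:", totp(secret))
    print("login ok:", login(rec, secret, "Tq7#vR9pLm2", totp(secret)))
```

The `window` parameter is the practical caveat of any clock-synchronized token: the host must tolerate a little drift, but every extra step accepted widens the set of valid codes, so one step on either side is the usual compromise.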
Controls for Information Process Risks
• Terminal identification codes
  • Prevent access by unauthorized terminals over communication lines
  • The host computer can require a terminal to electronically transmit its identification code, which proves it is an authorized terminal and defines the type of transactions the terminal user can perform
• Encryption
  • Protects highly sensitive and confidential data
  • Is a process of encoding data entered into the system, storing or transmitting the data in coded form, and then decoding the data upon its use or arrival at its destination.
Controls for Information Process Risks
• System Failure Protection
  • Hardware failures may result in business interruptions and loss of data
    • Proper maintenance of equipment and facilities
    • Operate equipment in an appropriate physical environment
    • Backup system components (e.g. extra disk storage, printers, or communication channels), similar to backup engines on a plane
  • Power source failures may also result in business interruptions and loss of data
    • Uninterruptible power supplies (UPS) provide battery support and sound an alarm when power is interrupted, allowing time to stop computer processes, back up data and instructions, and shut down properly
    • Surge protectors provide protection against power surges or spikes
Controls for Information Process Risks
• System Failure Protection
  • Virus protection (anti-virus) software
    • Viruses are malicious software programs that attach themselves to other applications without the user’s knowledge
    • Worms are more invasive, self-replicating types of viruses
    • When an infected file is executed, the virus or worm also executes and may cause damage such as deleting files, destroying hard disks, or even crashing entire systems
    • Anti-virus software is designed to search for and destroy known viruses and worms; it does not protect against unknown viruses and worms
  • Firewalls
    • Combinations of hardware and software used to shield a computer or network from unauthorized users or from file transfers of unauthorized types
Controls for Information Process Risks
• Software Processing Controls
  • General software controls
    • System development and maintenance procedures
      • Care in specifying requirements
      • Use of test data to verify accuracy of programs
      • Separation of duties between programmers, system analysts, data control group, and operations personnel
    • Network Operating System (NOS) controls
      • Does the NOS have adequate controls to prevent unauthorized logical access?
      • Applications may often be accessed through holes in the NOS layer
  • Application software controls
    • Does the application software contain adequate controls to prevent unauthorized access and data entry?
Controls for Information Process Risks
• Application Controls
  • Data Input Controls
    • Event processing rules should be built into systems to verify that the prescribed rules are followed
    • Example rule: A customer may exist in our database before participating in a related sale event, but it is not permissible to record a sale event without identifying the related customer
      • Relationship: Participation; connected entities: (0, ) Customer, (1, ) Sale
      • Set the field property to require data entry in the Customer ID that is posted into the Sale table as a foreign key
Controls for Information Process Risks
• Application Controls
  • Data Entry Verification
    • Closed Loop Verification
      • Uses one input data item to locate the record to be updated
      • Displays other data from the record so the data entry person can verify it is the desired record to update
      • E.g. the user enters a customer id; the application displays the customer's name and address
    • Key Verification (also called rekeying)
      • Input data is entered twice (often by two different people)
      • Differences are highlighted and a response is required to verify correct entry
Controls for Information Process Risks
• Application Controls
  • Edit checks
    • Field Edit Checks control field-level data
      • Check Digit – apply a formula to the account number to calculate a check digit and append it to the account number
      • Completeness check – verifies all critical field data are entered
      • Default Value – sets field contents to prescribed values
      • Field or Mode check – verifies the entered data type is appropriate
      • Range (limit) check – compares entered data to a predetermined upper and/or lower limit
      • Validity/set check – compares entered data to prespecified data stored within the system
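As an added example (not code from the chapter), the Python below implements each of the field edit checks on this slide as a small rule-driven validator for a sale-order record: check digit, completeness, default value, field/mode (type) check, range check, and validity/set check. The Luhn mod-10 formula is used as the check-digit algorithm because it is a standard, published one; the RULES table, the field names and the sample records are constructed for the demonstration.

```python
import re
from datetime import date


def check_digit_mod10(base):
    """Luhn (mod 10) check digit: from the right, double every other digit,
    sum the resulting digits, and return the digit that makes the sum a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # rightmost base digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def append_check_digit(base):
    return base + check_digit_mod10(base)


def check_digit_valid(account):
    """True when the last digit of the account number is the correct check digit."""
    return account[-1] == check_digit_mod10(account[:-1])


# Constructed field rules for a sale-order entry screen (hypothetical fields).
RULES = {
    "customer_id": {"required": True, "type": "digits", "check_digit": True},
    "quantity":    {"required": True, "type": "int", "range": (1, 500)},
    "unit_price":  {"required": True, "type": "decimal", "range": (0.01, 10000.0)},
    "ship_via":    {"required": True, "set": {"GROUND", "AIR", "FREIGHT"}},
    "sale_date":   {"required": True, "type": "date"},
    "terms":       {"required": False, "default": "NET30", "set": {"NET30", "NET60", "COD"}},
}


def field_edit_checks(record, rules=RULES):
    """Apply the slide's field-level edit checks; returns (cleaned_record, errors)."""
    cleaned, errors = {}, []
    for field, rule in rules.items():
        raw = record.get(field, "")
        raw = raw.strip() if isinstance(raw, str) else raw
        # Default value: fill in prescribed contents when nothing was entered
        if raw in ("", None) and "default" in rule:
            raw = rule["default"]
        # Completeness check
        if raw in ("", None):
            if rule.get("required"):
                errors.append(f"{field}: missing (completeness check)")
            continue
        # Field or mode check: is the data type appropriate?
        kind = rule.get("type")
        value = raw
        try:
            if kind == "digits":
                if not re.fullmatch(r"\d+", str(raw)):
                    raise ValueError
                value = str(raw)
            elif kind == "int":
                value = int(raw)
            elif kind == "decimal":
                value = float(raw)
            elif kind == "date":
                value = date.fromisoformat(str(raw))
        except ValueError:
            errors.append(f"{field}: {raw!r} is not a valid {kind} (field/mode check)")
            continue
        # Check digit
        if rule.get("check_digit") and not check_digit_valid(value):
            errors.append(f"{field}: {value} fails check digit")
            continue
        # Range (limit) check
        if "range" in rule:
            lo, hi = rule["range"]
            if not lo <= value <= hi:
                errors.append(f"{field}: {value} outside {lo}..{hi} (range check)")
                continue
        # Validity / set check
        if "set" in rule and value not in rule["set"]:
            errors.append(f"{field}: {value!r} not in allowed set (validity check)")
            continue
        cleaned[field] = value
    return cleaned, errors


if __name__ == "__main__":
    # Constructed sample entries: one clean, one with a transposed check digit and other errors.
    print(field_edit_checks({"customer_id": append_check_digit("7992739871"), "quantity": "12",
                             "unit_price": "19.99", "ship_via": "GROUND",
                             "sale_date": "2024-03-15"}))
    print(field_edit_checks({"customer_id": "79927398731", "quantity": "0", "unit_price": "abc",
                             "ship_via": "TRUCK", "sale_date": "2024-13-01"}))
```

The check-digit test in the second sample shows the point of the control: transposing the last two digits of a valid account number (`...13` keyed as `...31`) is caught before the record is accepted, which is exactly the class of keying error a check digit exists to detect.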
Controls for Information Process Risks
• Application Controls
  • Edit checks
    • Record Edit Checks control record-level data
      • Master Reference check (file-based system) – verifies an event record has a corresponding master record to be updated
      • Referential Integrity (database system) – ensures every posted foreign key attribute represents an actual primary key value; it is basically a master reference check in a database
      • Reasonableness check – verifies whether the amount of an event record appears reasonable when compared to other elements associated with each item being processed
      • Valid Sign check – highlights illogical balances in a master file record (e.g. negative quantity-on-hand)
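The event processing rule on the Data Input Controls slide (a sale must identify its customer, a customer may exist with no sale) and the referential integrity and valid sign checks on this slide are all enforceable by the database itself. The Python below is an added example, not part of the chapter, using the standard library's SQLite driver: the `customer`, `sale` and `inventory` tables, column names and sample rows are constructed for the demonstration, and only the minimum cardinalities the slide states (0 on Customer, 1 on Sale) are enforced. One caveat worth knowing: SQLite does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is issued on every connection.

```python
import sqlite3

# Constructed schema. NOT NULL + REFERENCES enforces the (1, ...) side of Participation:
# a sale row cannot be stored without an existing customer.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE inventory (
    item_id          INTEGER PRIMARY KEY,
    quantity_on_hand INTEGER NOT NULL CHECK (quantity_on_hand >= 0)   -- valid sign check
);
CREATE TABLE sale (
    sale_id     INTEGER PRIMARY KEY,
    sale_date   TEXT NOT NULL,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id)     -- referential integrity
);
"""


def open_db():
    """In-memory database with FK enforcement switched on and a little seed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite; must be set per connection
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (1, 'Acme Ltd')")   # constructed sample rows
    conn.execute("INSERT INTO inventory VALUES (500, 10)")
    conn.commit()
    return conn


def try_sql(conn, sql, params=()):
    """Run one statement inside a transaction; return None on success or the constraint error text."""
    try:
        with conn:
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def demo():
    """Exercise the rules; each entry maps a scenario to None (accepted) or the error (rejected)."""
    conn = open_db()
    return {
        # (0, ...) side: a customer may exist before any sale
        "customer_without_sale": try_sql(conn, "INSERT INTO customer VALUES (2, 'Beta Co')"),
        "sale_with_customer": try_sql(conn, "INSERT INTO sale VALUES (10, '2024-03-15', 1)"),
        # (1, ...) side: a sale without a customer id is rejected (completeness at the DB layer)
        "sale_without_customer": try_sql(conn, "INSERT INTO sale VALUES (11, '2024-03-15', NULL)"),
        # referential integrity: the customer id must be a real primary key value
        "sale_with_unknown_customer": try_sql(conn, "INSERT INTO sale VALUES (12, '2024-03-15', 999)"),
        # valid sign check: quantity on hand may never go negative
        "ship_more_than_on_hand": try_sql(
            conn, "UPDATE inventory SET quantity_on_hand = quantity_on_hand - 25 WHERE item_id = 500"),
        # referential integrity also blocks orphaning existing sales
        "delete_customer_with_sales": try_sql(conn, "DELETE FROM customer WHERE customer_id = 1"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {'accepted' if outcome is None else 'rejected - ' + outcome}")
```

Putting the rule in the schema rather than only in the entry form means every path into the data (screens, batch loads, ad hoc SQL) is subject to the same check, which is the property an auditor is looking for when assessing an application control.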
Controls for Information Process Risks
• Application Controls
  • Edit checks
    • Batch Edit Checks control batches of events
      • Sequence check – verifies records in the batch are sorted in the proper sequence and highlights missing items
      • Transaction Type check – verifies all transactions in the batch are of the same category
      • Batch Control totals – verify all transactions within a batch are present and have been processed
        • Hash Control total – sum of an attribute for which the sum has no real meaning
        • Financial/Numeric total – sum of a financial attribute
        • Record Count Control total – total of the number of records in a batch
Batch Control Totals: How are they generated and verified?
• Typically batch control totals are generated manually as batches are created; this happens before data from the documents are entered into a computerized process.
• For example:
  • The clerk separates the day’s remittance advices into batches, each containing approximately 100 documents.
  • The clerk creates a “batch header” for each batch; the batch header will include an identifying code (i.e., a “batch number”) and a date.
  • The clerk uses a 10-key adding machine to create a batch total of the remittance advice amounts that can then be compared to the computer-generated batch total.
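The following Python is an added example, not the chapter's own code, that carries the remittance-advice procedure above through to the computer side: the batch header totals the clerk would write (record count, financial total, and a hash total of customer ids), the batch edit checks from the previous slide (sequence, transaction type, and control total comparison), and two simulated keying errors. The five remittance advices, their document numbers, customer ids and amounts are constructed sample data. Amounts are held in whole cents so the totals are exact.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class RemittanceAdvice:
    doc_no: int             # preprinted, sequential document number
    customer_id: str
    amount_cents: int       # whole cents so totals are exact
    txn_type: str = "CASH_RECEIPT"


def sample_documents() -> List[RemittanceAdvice]:
    """One day's remittance advices; constructed sample data, not real records."""
    return [
        RemittanceAdvice(1001, "40012", 12500),
        RemittanceAdvice(1002, "40087", 3999),
        RemittanceAdvice(1003, "40012", 7025),
        RemittanceAdvice(1004, "40150", 1250),
        RemittanceAdvice(1005, "40033", 98000),
    ]


def batch_header(docs, batch_no, batch_date):
    """The totals the clerk records on the batch header before anything is keyed."""
    return {
        "batch_no": batch_no,
        "date": batch_date,
        "txn_type": docs[0].txn_type,
        "record_count": len(docs),                                   # record count control total
        "financial_total": sum(d.amount_cents for d in docs),        # financial/numeric total
        "hash_total": sum(int(d.customer_id) for d in docs),         # hash total: a meaningless sum
    }


def batch_edit_checks(header, keyed):
    """Recompute the control totals from the keyed records and list every discrepancy."""
    errors = []
    # Transaction type check: everything in the batch must be the same category
    wrong_type = [d.doc_no for d in keyed if d.txn_type != header["txn_type"]]
    if wrong_type:
        errors.append(f"transaction type check: documents {wrong_type} are not {header['txn_type']}")
    # Sequence check: in order, and no gaps in the preprinted numbers
    nums = [d.doc_no for d in keyed]
    if nums != sorted(nums):
        errors.append("sequence check: records are not in document-number order")
    if nums:
        missing = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
        if missing:
            errors.append(f"sequence check: missing document numbers {missing}")
    # Control totals: header value versus what was actually keyed
    totals = {
        "record count": (header["record_count"], len(keyed)),
        "financial total": (header["financial_total"], sum(d.amount_cents for d in keyed)),
        "hash total": (header["hash_total"], sum(int(d.customer_id) for d in keyed)),
    }
    for name, (expected, actual) in totals.items():
        if expected != actual:
            errors.append(f"{name}: batch header {expected}, keyed records {actual}")
    return errors


def keyed_with_dropped_and_transposed(docs):
    """Simulated keying errors: document 1003 never keyed; 1004's 12.50 keyed as 21.50."""
    keyed = [d for d in docs if d.doc_no != 1003]
    return [replace(d, amount_cents=2150) if d.doc_no == 1004 else d for d in keyed]


def keyed_with_wrong_customer(docs):
    """Simulated keying error only the hash total can catch: customer 40012 keyed as 40021."""
    return [replace(d, customer_id="40021") if d.doc_no == 1003 else d for d in docs]


if __name__ == "__main__":
    docs = sample_documents()
    header = batch_header(docs, "B-0417", "2024-03-15")
    print("header:", header)
    print("clean batch:", batch_edit_checks(header, docs))
    print("dropped + transposed:", batch_edit_checks(header, keyed_with_dropped_and_transposed(docs)))
    print("wrong customer:", batch_edit_checks(header, keyed_with_wrong_customer(docs)))
```

The second scenario is why a hash total is kept even though its sum means nothing: a mis-keyed customer id leaves the record count and the financial total untouched, so the hash total is the only one of the three that reports the discrepancy.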
Batch Control Totals: How are they generated and verified?
• Figure: Example Flowchart
Controls for Information Process Risks
• Application Controls
  • File Controls
    • Devices or techniques to verify the correct file is updated and to prevent inadvertent destruction or inappropriate use of files
    • External file labels – identify a storage medium’s contents on the outside; easily seen by users; easily removed
    • Internal file labels – identify a storage medium’s contents within the files themselves; can’t be easily removed; not as visible to the user
    • Lockout procedures – used by database management software to prevent multiple applications or users from updating the same record or data item simultaneously
    • Read-only file designation – prevents data alteration or storage of new data
    • File protection rings – removal of the ring makes the device read-only
Controls for Information Process Risks
• Application Controls
  • Data Loss and File Reconstruction Capability
    • Maintain backup or duplicate copies of current data files, programs, and documentation
    • File reconstruction – reprocessing event data against master resource or agent reference data
      • Batch process file reconstruction: grandparent-parent-child approach
      • Real-time process file reconstruction
Batch processing and file reconstruction
• Figure: Batch Processing
Real-time processing and file reconstruction
• Figure: Real-time Processing
• Figure: Real-time File Reconstruction
Summary
• Controlling enterprise risk is crucial for long-term enterprise success.
• Controls over the enterprise information system are as important as procedural controls over the enterprise activities
• The REA ontology may be used as guidance for considering risk areas and developing controls for those risks
• Preventive controls should always be the goal; where prevention is impossible or impractical, detection and correction should be employed
• Detection and correction should also be employed as secondary controls (as backup) even when preventive controls are in place
Chapter 14 End of Chapter